With the deadline for Member States to transpose the European Union’s updated Network and Information Systems Directive (Directive (EU) 2022/2555) (NIS 2 or the Directive) into national law having passed on 18 October 2024, organisations operating in or servicing the EU market face significant new cybersecurity obligations. The revised Directive, which repeals and expands on the original NIS framework (NIS 1), broadens its regulatory scope and imposes enhanced compliance requirements to address growing threats in a new era of digitalisation.
Background of the NIS 2 Directive
NIS 1 (introduced in 2018) primarily affected ‘operators of essential services’ and ‘digital service providers’, such as online search engines and cloud services, requiring them to maintain a certain level of cybersecurity. However, NIS 2 expands on these categories, replacing them with ‘essential’ and ‘important’ classifications. If an organisation is deemed ‘important’ or ‘essential’ (defined by various categories, including provision of public electronic communication networks or services, domain name registries, or system service providers — i.e., companies that, if disrupted, could have an effect on public safety, security, or health, or if disruption could result in systemic risks), they are also within scope. Therefore, digital infrastructure and digital providers (including social networking services platforms); manufacturing of critical products such as medical devices; and food, space, postal and courier services, and public administration fall within the broader scope of NIS 2.
New Requirements Under NIS 2
NIS 2 aims to address the increased prevalence of cyber threats across the expanding digital landscape. To bolster security, the Directive imposes comprehensive cybersecurity management and reporting obligations on in-scope organisations. These obligations are structured to prompt entities to actively manage risks, monitor vulnerabilities, and respond to incidents promptly.
Core compliance obligations include:
- Enhanced security and risk management: Organisations must implement comprehensive cybersecurity measures to address risks across network and information systems, including incident detection, vulnerability disclosure, and data encryption.
- Incident reporting: In a significant shift from NIS 1, NIS 2 replaces the current ‘without undue delay’ standard with more onerous, staged reporting timelines. Entities are required to report significant incidents within 24 hours, followed by a more detailed report within 72 hours, and a final report within a month. The definition of ‘significant’ has also been simplified to avoid overreporting. Entities may also be required to notify the general public.
- Increased management accountability: Senior management must approve and oversee cybersecurity measures and may face personal liability if they fail to meet the requirements set out under NIS 2. A ‘management body’ isn’t defined in the Directive; it will be determined individually by Member States. This requirement underscores the importance of leadership in driving and maintaining cybersecurity standards and undertaking continuous training to ensure they have the necessary skills to assess the risks their entity faces.
- Supply chain security: Recognising the risk posed by third-party providers, NIS 2 mandates that organisations actively monitor the security practices of their suppliers and incorporate these into their own risk management processes. NIS 2 applies to both large and medium-size organisations in high-risk sectors and indirectly affects certain small entities through the supply chain, imposing standards for incident response, risk management, and compliance.
- Regular security audits: Essential entities are subject to regular audits and spot checks, while important entities undergo audits based on reasonable suspicion.
Key Implications for Organisations
Compliance costs: The new obligations under NIS 2 are expected to impose additional costs on entities, particularly those newly subject to these requirements. Compliance measures, including additional staff training, consultation with cybersecurity experts, and technology investments, will require significant planning and budget allocation.
Fines and penalties: NIS 2 allows for stringent penalties for noncompliance. Member States have discretion to implement fines of up to €10 million or 2% of global annual revenue (whichever is higher) for essential entities and €7 million or 1.4% of global annual revenue (whichever is higher) for important entities. Member States also have discretion to implement their own rules on penalties for infringement. This reinforces the EU’s stance on prioritising cybersecurity and serves as a strong deterrent against noncompliance.
Operational adjustments: Affected organisations must integrate NIS 2’s requirements into their existing cybersecurity framework. For example, risk management practices need to be updated, and incident response plans should be revised to accommodate the Directive’s quick turnaround times for reporting.
Steps to Take in Preparation for NIS 2 Compliance
- Applicability assessment: Evaluate whether your organisation qualifies as an ‘essential’ or ‘important’ entity under NIS 2 and assess which services and sectors are affected.
- Resource allocation and protocols revision: Ensure adequate budget and personnel are in place to implement cybersecurity measures, including regular audits, management training, and incident response.
- Cybersecurity expertise engagement: For entities new to EU cybersecurity regulation, consulting with experts can clarify compliance steps, especially for technical aspects such as supply chain security and risk management.
- Strengthening of supply chain security: Evaluate supplier relationships, assess their cybersecurity standards, and ensure they align with NIS 2 requirements.
- Documentation preparation: Entities should establish audit trails and reporting mechanisms to meet the documentation and accountability expectations under NIS 2.
- EU/UK regulatory discrepancies: Organisations operating in both the UK and the EU must also be mindful of regulatory discrepancies, because the UK has opted out of NIS 2 due to Brexit and is pursuing its own Cyber Security and Resilience Bill, anticipated in 2025. This means UK-based entities working with EU clients must align with NIS 2 while remaining compliant with UK cybersecurity standards.
Concluding Insights
With its expansive coverage and stringent compliance measures, the NIS 2 Directive represents a significant step forward in strengthening the EU’s digital security landscape. For organisations, this Directive provides an opportunity to enhance cybersecurity and build resilience against growing digital threats. By preparing now, organisations can not only meet regulatory standards but also strengthen their position as cybersecurity-conscious leaders in their industries.
For assistance with NIS 2 compliance and guidance on implementing effective cybersecurity measures, please contact our Data Privacy & Cybersecurity team.
We would like to thank Mihaela Angelova for her assistance with this alert.
This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.
Contacts
- Curtis McCluskey, Counsel
- Jack McCarthy, Associate